Skip to main content

Skillber v1.0 is here!

Learn more

Incident Response Preparation

Checking access...

Preparation determines the success or failure of every incident response. The 2024 Ponemon Cost of a Data Breach Report found that organisations with a tested IR plan contain breaches 54 days faster and save $2.66 million compared to those without. Yet only 39% of organisations test their IR plan annually.

This page covers the practical components of IR preparation: the plan itself, team roles, communication, playbooks, tools, and exercises.

The IR Plan Document

The incident response plan is the foundational document that defines how the organisation will handle security incidents. It should be:

  • Executive-approved — has organisational authority
  • Practical — usable under pressure, not a theoretical document
  • Concise — core plan is 5-10 pages; appendices contain details
  • Tested — validated through exercises, not just reviewed in meetings

IR Plan Outline

SectionContentWhy It Matters
1. Purpose & ScopeWhy the plan exists, what it covers (systems, data, locations)Defines the boundaries of IR responsibility
2. Roles & ResponsibilitiesIR team members, their roles, and authoritiesEnsures everyone knows what to do
3. Severity ClassificationDefinition of Critical/High/Medium/Low incidentsEnables consistent triage and escalation
4. Escalation & CommunicationCall tree, communication channels, notification templatesEnsures the right people are informed at the right time
5. Incident Response ProceduresPhased response steps (Detect → Triage → Contain → Eradicate → Recover)Provides the operational playbook
6. Post-Incident ActivityPost-mortem process, improvement trackingCloses the learning loop
7. AppendicesContact lists, playbooks, tool guides, regulatory obligationsReference material for during-incident use

Roles and Responsibilities

RoleResponsibilityPrimaryAlternate
IR LeadOverall incident management, decisions, escalationDirector of SecuritySecurity Manager
Triage Lead (L2)Technical analysis, scoping, containmentSr. Security AnalystSecurity Analyst
L1 AnalystsInitial alert triage, monitoringSOC Analyst (2)SOC Analyst (1)
Forensic ExaminerEvidence collection, preservation, analysisForensics LeadExternal Forensics
Legal CounselLegal guidance, privilege, regulatory notificationGeneral CounselExternal Counsel
Communications LeadInternal/external communications, PRPR DirectorMarketing Lead
Executive SponsorBusiness decisions, resource approvalCISOCIO
HR LiaisonPersonnel actions (if insider involved)HR DirectorHR Manager
IT OperationsSystem restoration, network changesIT DirectorSr. Engineer

Communication Plan

A communication plan defines who needs to be notified, when, and through what channel. The key principle: communicate early and often, even if the full picture is not yet clear.

Internal Communication

TriggerNotifyChannelTiming
Critical incident detectedIR Lead, L2 Lead, LegalPhone callImmediately (< 5 min)
Confirmed breachExecutive Sponsor, CISO, CIOPhone callWithin 15 min
Containment decision neededIR Lead + Executive SponsorPhone or secure meetingWithin 30 min
Business impact assessmentDepartment heads, IT OpsSecure chat + emailWithin 1 hour
Employee notification (if affected)HR + Legal + CommunicationsEmail + intranetAfter containment
Board notificationCISO → CEO → BoardSecure reportPer governance schedule

External Communication

AudienceMessage TypeApprovalTiming
Regulators (ICO, SEC, CISA)Mandatory breach notificationLegal + ExecutivePer regulatory timeline (e.g., GDPR: 72 hours)
Law enforcement (FBI, CISA)Voluntary or mandatory reportingLegal + ExecutiveDuring/after containment
Customers (if PII affected)Breach notificationLegal + PR + ExecutivePer regulatory + PR strategy
Partners/VendorsOperational impact noticeBusiness ownerAfter containment
Media/PublicPress statementPR + Legal + ExecutiveCoordinated — single voice

Call Tree

The call tree is the structured escalation path used to activate the IR team. Every member must have primary and alternate contact methods:

IR Lead
├── L2 Lead
│ ├── L1 Analyst 1
│ │ └── L1 Analyst 2 (backup)
│ ├── L1 Analyst 3 (off-hours)
│ └── Forensic Examiner
├── Legal Counsel
├── Communications Lead
├── IT Operations Lead
└── Executive Sponsor (CISO)
└── CIO / CEO (on CISO's judgement)

Tip

Test your call tree quarterly. In one real-world exercise, 40% of IR team members had outdated phone numbers. A broken call tree means a delayed response — and delayed response means deeper compromise.

IR Playbooks

Playbooks (also called runbooks or SOPs) provide step-by-step procedures for handling specific incident types. They ensure consistent, repeatable response regardless of which analyst is on shift.

Phishing Incident Playbook

2.1
# PHISHING INCIDENT PLAYBOOK
# Last Reviewed: 2026-01-16
## Step 1: User Reports Suspicious Email
- [ ] Acknowledge receipt of the report within 5 minutes
- [ ] Instruct user not to click any links or reply to the email
- [ ] If user clicked the link: escalate to Step 2b (confirmed compromise)
- [ ] If user did not click: proceed to Step 2a (suspected phishing)
## Step 2a: Suspected Phishing (No Click)
- [ ] Extract headers and forward to SOC (Phish@org.com)
- [ ] SOC analyst extracts URLs from email body
- [ ] Submit URLs to VirusTotal for analysis
- [ ] Check URLs against threat intelligence feeds
- [ ] Check email authentication (SPF, DKIM, DMARC) in headers
- [ ] Determine if this is a targeted (spear) or mass phishing campaign
- [ ] If mass phishing: search mail logs for same email sent to other users
- [ ] Block sender domain at email gateway
- [ ] If URLs are malicious: block at proxy/web gateway
- [ ] Report to employees via internal communication
- [ ] Close ticket as "Suspected Phishing — Blocked"
## Step 2b: Confirmed Compromise (User Clicked Link)
- [ ] IMMEDIATE: Isolate affected user workstation (via EDR)
- [ ] IMMEDIATE: Disable user account (prevent lateral movement)
- [ ] IMMEDIATE: Reset user's Active Directory password
- [ ] IMMEDIATE: Revoke all active session tokens (O365, SaaS apps)
- [ ] Determine if user entered credentials on phishing page
- [ ] If credentials were entered:
- [ ] Check for unusual email forwarding rules
- [ ] Check for mailbox login from unusual IPs
- [ ] Search sent items for replies to attacker
- [ ] Review OAuth application grants
- [ ] Check for access to sensitive data (finance, HR, IP)
- [ ] If malware was downloaded/executed:
- [ ] Capture the sample for analysis
- [ ] Run EDR full scan on affected host
- [ ] Check for lateral movement from the host
- [ ] Check for persistence mechanisms
- [ ] Escalate to L3 for deep analysis
- [ ] Document all findings in incident ticket
- [ ] Determine escalation to IR Lead for broader containment
## Step 3: Remediation
- [ ] Remove phishing email from all affected mailboxes
- [ ] Update email security rules to block similar campaigns
- [ ] Deploy IoCs (domains, hashes, IPs) to detection systems
- [ ] If malware: reimage the affected workstation(s)
- [ ] Notify affected users of account actions taken
## Step 4: Post-Incident
- [ ] Conduct post-mortem within 5 business days
- [ ] Update phishing playbook based on lessons learned
- [ ] Report metrics to security leadership
- [ ] Add phishing simulation training for affected department

Playbook Coverage

PlaybookPriorityTest FrequencyLast Updated
Phishing / Email CompromiseP1Quarterly2026-01-16
RansomwareP1Quarterly2026-01-10
Data ExfiltrationP1Semi-annual2025-11-20
Unauthorised AccessP2Semi-annual2025-10-15
DDoSP2Annual2025-09-01
Insider ThreatP2Annual2025-08-15
Malware OutbreakP1Quarterly2026-01-05
Supply Chain CompromiseP3Annual2025-07-01

IR Tools

Every IR team needs a toolkit pre-deployed and tested before an incident occurs:

Tool CategoryToolPurposePre-Deploy Required?
EDRCrowdStrike Falcon, SentinelOne, Defender for EndpointEndpoint visibility, isolation, responseYes — agent on all endpoints
SIEMSplunk, Sentinel, ElasticLog aggregation, correlation, alertingYes — all logs ingested
SOARSplunk SOAR, Palo Alto XSOAR, TinesPlaybook automation, case managementYes — playbooks pre-built
ForensicsFTK Imager, Autopsy, VolatilityMemory and disk analysisYes — on forensic workstation
Network captureWireshark, tcpdump, netsh tracePacket capture and analysisYes — on forensic workstation
Secure commsSignal, Wickr, Teams private channelEncrypted communication during IRYes — channels pre-created
Ticket systemServiceNow, Jira, RTIncident tracking, evidence loggingYes — integrated with SOAR
Knowledge baseConfluence, SharePoint, GitBookPlaybooks, procedures, referenceYes — playbooks accessible offline
Hash databaseVirusTotal, Team Cymru, local hash repoFile reputation lookupsYes — API keys configured
Threat intelRecorded Future, MISP, OTXIoC enrichmentYes — feeds integrated with SIEM

Tabletop Exercises

A tabletop exercise (TTX) is a discussion-based simulation where the IR team walks through an incident scenario without touching production systems. TTX is the most cost-effective way to validate IR readiness.

Sample Tabletop Scenario Card

# SCENARIO CARD: RANSOMWARE — FINANCE DEPARTMENT
## Background
It's 9:00 AM on a Monday. Your organisation (a mid-size financial services
firm with 2,000 employees) has just completed a busy quarter-end close.
## Trigger
The SOC L1 analyst calls you (IR Lead) with the following:
- 20 servers in the finance department are showing mass file rename events
- Files are being renamed with extension .encrypted
- Ransom notes named "READ_ME_NOW.html" appearing on shared drives
- The CFO's executive assistant reports she cannot open her Excel files
## Questions for the Team
1. What is your immediate action? (first 5 minutes)
2. Activate the call tree — who do you call first?
3. Do you isolate the affected servers or investigate first?
4. Do you shut down the network to prevent spread?
5. How do you communicate with the CFO who is demanding answers?
6. When do you notify law enforcement?
7. Does your cyber insurance policy require specific actions?
8. How do you determine if clean backups exist?
## Inject (10 minutes into scenario)
The attacker has posted 5GB of stolen data to a ransomware leak site.
The stolen data includes customer PII.
## Questions Part 2
9. How does this change your response?
10. Do you pay the ransom? Who makes that decision?
11. What do you tell customers? When?
12. What regulators must you notify? (GDPR? SEC? CISA?)
13. How do you communicate externally without tipping off the attacker?
## Hotwash (Debrief Questions)
- Did the call tree work? Were alternates reachable?
- Were the playbooks followed? Did they help or hinder?
- What decisions required information you didn't have?
- What would you do differently?

TTX Schedule

TypeFrequencyDurationParticipantsFocus
Discussion-based TTXQuarterly1-2 hoursIR team + key stakeholdersProcess and decision-making
Functional TTXSemi-annual2-4 hoursIR team + IT opsTechnical response steps
Full-scale simulationAnnual4-8 hoursFull organisationEnd-to-end IR with live tools

Caution

A tabletop exercise that everyone agrees went perfectly means you didn’t push hard enough. The purpose of TTX is to find gaps — not to validate that everything works. If you didn’t find at least three improvement items, your scenario was too easy.

Key Takeaways

  • The IR plan is the foundational document — concise, practical, and approved by leadership. It defines scope, roles, severity, escalation, and procedures
  • Roles must be defined with primary and alternate contacts — every role needs a trained backup
  • Communication plans cover internal (leadership, legal, HR) and external (regulators, customers, media) audiences with specific timelines
  • Playbooks provide step-by-step procedures for common incident types — test them quarterly
  • Tools must be pre-deployed and pre-integrated — during an incident is not the time to discover that the SOAR doesn’t talk to the SIEM
  • Tabletop exercises are the most effective way to validate IR readiness — run them quarterly and make them challenging enough to find gaps